Data Breach Notification Policy
DATA BREACH NOTIFICATION POLICY
Organization: [Organization Name]
Address: [Organization Address]
Effective Date: [Policy Effective Date]
Privacy Officer: [Privacy Officer Name] | [Privacy Officer Email]
1. PURPOSE AND SCOPE
1.1 Purpose. This Data Breach Notification Policy establishes the procedures that [Organization Name] will follow to identify, assess, contain, and notify affected parties of any actual or suspected breach of personal information or other protected data in its custody or control.
1.2 Scope. This Policy applies to all employees, contractors, vendors, and agents of [Organization Name] who have access to personal information or other protected data maintained by the organization.
1.3 Applicable Regulations. This Policy is designed to comply with: [Regulatory Framework], and all applicable state data breach notification laws including the laws of the State of [Primary State].
2. DEFINITIONS
2.1 "Personal Information" means any information that identifies or could reasonably be linked to an identified individual, including name, Social Security number, date of birth, government-issued identification number, financial account number, credit or debit card number, medical or health insurance information, login credentials, or biometric data.
2.2 "Security Breach" means any actual or reasonably suspected unauthorized access to, acquisition, disclosure, use, modification, or destruction of Personal Information maintained by the organization in any form (electronic or physical).
2.3 "Notifiable Breach" means a Security Breach that, following a risk assessment, is determined to have resulted in unauthorized acquisition of unencrypted Personal Information that is reasonably likely to cause harm to affected individuals, triggering notification obligations under applicable law.
3. DETECTION AND INITIAL RESPONSE
3.1 Detection Methods. The organization uses the following methods to detect potential security incidents: [Detection Methods].
3.2 Reporting Obligation. All employees and contractors who discover or suspect a security incident must report it immediately to the Privacy Officer at [Privacy Officer Email]. Delay in reporting is prohibited.
3.3 Initial Response. Upon receiving a report of a potential breach, the following steps shall be taken immediately: [Initial Response Steps].
3.4 Incident Response Team. The following individuals and roles shall constitute the Incident Response Team responsible for coordinating the organization's response: [Incident Response Team].
4. BREACH ASSESSMENT
4.1 Risk Assessment. Beginning as soon as a potential breach is reported, and proceeding in parallel with containment (statutory notification periods run from discovery of the breach, not from the end of the investigation), the Privacy Officer shall conduct or commission a risk assessment to determine: (a) the nature and category of Personal Information involved; (b) whether the data was encrypted and, if so, whether the encryption keys or credentials needed to decrypt it were also exposed; (c) the number and identity of affected individuals and the states or jurisdictions in which they reside; (d) the likelihood that the information has been or will be misused; and (e) the potential harm to affected individuals. The assessment and its conclusions shall be documented in writing.
4.2 Escalation Timeline. [Notification Timeline].
4.3 Legal Counsel. Legal counsel shall be notified of any potential Notifiable Breach immediately, to assess the organization's notification obligations under applicable federal and state law.
5. NOTIFICATION PROCEDURES
5.1 Notification Deadline. [External Notification Deadline].
5.2 Content of Notification. Notifications to affected individuals shall include: (a) a description of what occurred; (b) the categories of Personal Information involved; (c) steps the organization is taking to address the breach; (d) steps individuals can take to protect themselves; (e) contact information for the Privacy Officer; and (f) information about any credit monitoring services being provided.
5.3 Regulatory Notification. Where required by applicable law, the organization shall notify the relevant state attorney general, regulatory agency, or consumer reporting agencies of any Notifiable Breach, within the timeframes prescribed by law.
5.4 Method of Notification. Individual notifications shall be provided by first-class mail to the individual's last known address, or by email where the individual has previously consented to electronic communications. Where applicable law permits substitute notice (typically where the cost of individual notice would exceed a statutory amount, the number of affected individuals exceeds a statutory threshold, or the organization lacks sufficient contact information), notice may instead be given by conspicuous posting on the organization's website and notice to major statewide media.
6. DOCUMENTATION AND RECORDKEEPING
6.1 Incident Log. The Privacy Officer shall maintain a written log of all security incidents, including those determined not to be Notifiable Breaches, recording the date and time of discovery, the nature of the incident, the data involved, the individuals affected, the response actions taken, the notifications sent and their dates, and, for incidents determined not to be notifiable, the basis for that determination.
6.2 Retention. All incident documentation, investigation records, risk assessment reports, and notification records shall be retained for [Retention Period].
6.3 Policy Review. This Policy shall be reviewed [Policy Review Frequency] and updated as necessary to reflect changes in applicable law, the organization's data processing activities, and industry best practices.
ADOPTED BY [Organization Name]
Authorized Signature: _______________________________ Date: _______________
Printed Name and Title: _______________________________________________
Privacy Officer Acknowledgment:
Signature: _______________________________ Date: _______________
Printed Name: [Privacy Officer Name]
What Is a Data Breach Notification Policy?
A Data Breach Notification Policy sets out the procedures a US organization, and the employees, contractors and vendors it covers, must follow when personal information in its custody is, or may have been, compromised: who assesses the incident, who decides whether it is notifiable, and how and when affected individuals and regulators are told.
The legal obligation to notify affected individuals of data breaches is one of the most pervasive compliance requirements in US law. All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted data breach notification statutes. Although these laws vary significantly in their definitions, timelines, and content requirements, they share a common structure: when personal information is acquired without authorization by an unauthorized person, the organization holding that data must notify affected individuals and, in most states, notify a state regulator.
Federal sector-specific laws add further layers. The HIPAA Security Rule (45 CFR §§ 164.302-318) sets the safeguards covered entities must maintain, and the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities (hospitals, clinics, health plans) and their business associates to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured protected health information (PHI); to notify the US Department of Health and Human Services (HHS), within the same 60 days where more than 500 individuals are affected and otherwise in an annual log submitted within 60 days after the end of the calendar year; and, for breaches affecting more than 500 residents of a state or jurisdiction, to notify prominent media outlets serving that state. The FTC's Standards for Safeguarding Customer Information (the Safeguards Rule, 16 CFR Part 314) were amended in October 2023 (effective May 2024) to require non-bank financial institutions covered by the Gramm-Leach-Bliley Act (GLBA) to notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving the unencrypted customer information of 500 or more consumers.
A Data Breach Notification Policy is distinct from an Incident Response Plan (IRP) — a broader cybersecurity document that covers all types of security incidents including those that do not involve personal data — and from a Privacy Policy. The Notification Policy is the specific subset of the IRP that addresses the legal compliance obligations triggered by a notifiable data breach: who decides whether a breach is notifiable, who drafts the notification letters, who notifies regulators, and what records are maintained to document compliance.
The Federal Trade Commission (FTC) has used its authority under Section 5 of the FTC Act (15 U.S.C. § 45) to take enforcement action against companies whose security and breach response practices it found unreasonable, most prominently in the 2019 Equifax settlement (at least $575 million and up to $700 million, reached jointly with the CFPB and state attorneys general) and in actions against numerous smaller organizations. A documented Data Breach Notification Policy is evidence that the organization maintains reasonable security practices, a factor weighed in FTC investigations and state attorney general enforcement actions.
When Do You Need a Data Breach Notification Policy?
A US Data Breach Notification Policy is needed by every organization that collects, stores, or processes personal information about US residents — which, given the breadth of state breach notification laws, encompasses virtually every business, nonprofit, educational institution, and government entity operating in the United States.
For healthcare organizations (hospitals, physician practices, health insurers, pharmacy benefit managers, and their IT vendors and business associates) a Data Breach Notification Policy is required by HIPAA's Breach Notification Rule (45 CFR §§ 164.400-414). The HHS Office for Civil Rights (OCR) actively enforces HIPAA breach notification requirements and maintains a public breach portal listing reported breaches of unsecured PHI affecting 500 or more individuals. OCR imposes civil monetary penalties on a four-tier culpability scale; the statutory amounts run from $100 to $50,000 per violation with an annual cap of $1.5 million per identical provision, and both figures are adjusted for inflation each year, so the current adjusted cap exceeds $2 million.
For financial services companies subject to the Gramm-Leach-Bliley Act, including banks, credit unions, mortgage lenders, insurance companies, and securities broker-dealers, the FTC Safeguards Rule (16 CFR Part 314) and the federal banking regulators' Interagency Guidance on Response Programs for Unauthorized Access to Customer Information (OCC, FDIC, Federal Reserve, NCUA) require written information security programs that include incident response and customer notification procedures. State breach notification statutes apply alongside these federal rules. A financial institution holding California residents' data, for example, must comply with California's breach notification statute, Civil Code § 1798.82, which predates the California Consumer Privacy Act (CCPA); the CCPA, as amended by the California Privacy Rights Act (CPRA), adds a private right of action under Civil Code § 1798.150 for breaches of certain personal information caused by a failure to maintain reasonable security, even though GLBA-regulated data is exempted from most of the CCPA's other obligations.
For retail businesses, e-commerce companies, and other organizations handling consumer payment card data, the Payment Card Industry Data Security Standard (PCI DSS) — a contractual requirement imposed by Visa, Mastercard, American Express, Discover, and JCB — requires an incident response plan and breach notification procedure as part of PCI DSS Requirement 12.10.
Schools and educational institutions handling student records under the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) need Data Breach Notification Policies that address both FERPA's privacy obligations and applicable state breach notification laws, which generally apply to educational institutions as data holders.
Any organization that suffered a prior data breach — or that operates in a sector targeted by ransomware, phishing, or supply chain attacks, including technology companies in California, financial firms in New York, and energy companies in Texas — needs a documented Data Breach Notification Policy to satisfy regulators, cyber liability insurers, and business partners who conduct vendor security assessments.
What to Include in Your Data Breach Notification Policy
A complete US Data Breach Notification Policy must address the full lifecycle of a breach response, from initial detection through final regulatory reporting. The following components are essential in any professionally prepared policy.
The scope and definitions section defines key terms: what constitutes "personal information" covered by the policy (name plus Social Security number, financial account number, driver's license number, medical information, biometric data, or other identifiers specified by applicable state laws including California Civil Code § 1798.82, New York General Business Law § 899-aa, and Texas Business & Commerce Code § 521.002); what constitutes a "breach" requiring notification (unauthorized acquisition of unencrypted personal information, as distinguished from mere unauthorized access without acquisition); and which organizational units and data systems are covered.
The breach detection and reporting procedures section specifies how employees, contractors, and IT staff identify and report potential security incidents, the internal escalation path from initial report to the designated Incident Response Team (IRT), and the time standard for internal escalation — typically 24 to 48 hours after detection, to allow timely regulatory notification downstream.
The investigation and risk assessment section establishes the process for determining whether a security incident constitutes a notifiable breach. This assessment applies the applicable legal standard: most states require notification upon unauthorized acquisition of unencrypted personal information; HIPAA requires a four-factor risk assessment under 45 CFR § 164.402 to determine whether there is a low probability that PHI was compromised. The policy should specify who conducts the assessment (internal counsel, outside counsel, forensic investigators), what documentation is required, and the maximum time allowed before a notification decision is made — typically no more than 30 days from discovery, to comply with the strictest state notification timelines.
The notification procedures section specifies the required content of individual breach notifications (type of breach, categories of information involved, steps taken to mitigate harm, contact information, and credit monitoring offers), the method of notification (written letter, email, or substitute notice by website posting and media for breaches affecting large numbers of individuals), and the procedures for notifying state attorneys general, the HHS OCR, the FTC, banking regulators, and other agencies as required by applicable law.
The recordkeeping section requires the organization to document all aspects of each breach investigation and notification response (forensic investigation reports, risk assessment conclusions, notification letters and mailing records, regulatory filings, and internal communications) for at least the applicable statute of limitations period. For HIPAA covered entities, breach documentation must be retained for 6 years under 45 CFR § 164.530(j), which § 164.414(a) makes applicable to breach notification; § 164.414(b) additionally places on the covered entity the burden of demonstrating that all required notifications were made, or that the incident did not constitute a breach, which is only possible with contemporaneous records.
The policy review and testing section requires annual review of the policy and tabletop exercises simulating breach scenarios to test the IRT's readiness. Insurers providing cyber liability coverage — a standard requirement for technology companies, healthcare organizations, and financial institutions — frequently require evidence of annual policy review and testing as a condition of coverage.
Sources & Citations
Statutory citations link to official government sources.
- 15 U.S.C. § 45 (FTC Act, Section 5) (US) – Cornell LII
- 20 U.S.C. § 1232g (FERPA) (US) – Cornell LII
- 45 CFR §§ 164.302-318 (HIPAA Security Rule) (US) – eCFR
- 45 CFR §§ 164.400-414 (HIPAA Breach Notification Rule) (US) – eCFR
- 45 CFR § 164.402 (US) – eCFR
- 45 CFR § 164.414 (US) – eCFR
- Health Insurance Portability and Accountability Act (HIPAA) (US) – Cornell LII
- California Consumer Privacy Act (California, US) – official state source
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Breach Notification Policy (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/data-breach-notification-policy
Frequently Asked Questions
Which laws require data breach notification in the United States?
All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted data breach notification laws that require businesses to notify affected individuals when their personal information is compromised in a security breach. While the specific requirements vary significantly by state, most state laws share common elements: a definition of 'personal information' (typically name combined with Social Security number, financial account number, driver's license number, or medical information); a definition of 'breach' requiring unauthorized acquisition of unencrypted personal data; a notification timeline (ranging from 30 days in states like Florida and New York to 'expedient time' or 'reasonable time' in others); and required content for the notification letter. In addition to state laws, federal sector-specific laws impose further breach notification requirements: HIPAA requires notification of breaches of unsecured protected health information within 60 days of discovery; the FTC Safeguards Rule implementing the Gramm-Leach-Bliley Act, as amended in 2023, requires covered financial institutions to notify the FTC within 30 days of discovering a notification event affecting 500 or more consumers; and the FTC Act's prohibition on unfair or deceptive acts and practices may apply to organizations that fail to implement reasonable security measures.
What must a breach notification include?
While the required content of breach notifications varies by state, most state laws require the notification to include: a description of what happened (the nature of the breach); a description of the categories and specific types of personal information that were, or are reasonably believed to have been, subject to unauthorized access; the steps the business is taking to investigate the breach, mitigate harm, and protect against future breaches; contact information for the business, including a toll-free phone number where affected individuals can ask questions; steps affected individuals can take to protect themselves, such as placing a fraud alert or credit freeze; and information about any free credit monitoring services being offered. Some states, including California and New York, prescribe specific headings or content for the notification. If more than 500 or 1,000 residents of a particular state are affected (the threshold varies), most states also require notification to the state attorney general or relevant regulatory agency.
How quickly must affected individuals be notified?
Notification timelines vary significantly by state. The strictest states impose hard deadlines measured from discovery or determination of the breach: Florida, Colorado and Washington allow 30 days, New York allows 30 days following the December 2024 amendment to General Business Law § 899-aa, and Ohio allows 45 days. Other states require notification 'in the most expedient time possible and without unreasonable delay' with no fixed outer limit, and regulators have treated multi-month delays as unreasonable absent a documented reason such as a law enforcement request to hold notice. Several states, including Delaware, Louisiana and Texas, pair that standard with an express 60-day maximum. Federal laws have their own timelines: HIPAA requires individual notification within 60 days of discovery; the FTC Safeguards Rule requires notice to the FTC within 30 days. A business whose breach affects residents of multiple states must meet the deadline of each of those states. Because the clock typically starts at discovery rather than at the end of the investigation, the notification workstream should begin immediately, even while the full scope of the breach is still being determined.
Why does an organization need a written Data Breach Notification Policy?
A Data Breach Notification Policy is one component of a broader information security and incident response program. Its role is to ensure that when a breach occurs, the organization has a pre-established, documented procedure that all relevant personnel understand and can execute efficiently. Without a written policy, organizations responding to a breach often lose critical time deciding who is responsible for what, who has authority to notify regulators and customers, and what information must be gathered before notification can be sent. A written policy reduces response time, helps ensure legal obligations are met, and demonstrates to regulators, customers, and business partners that the organization takes data security seriously. Regulators, including state attorneys general and the FTC, have taken enforcement action against organizations that lacked adequate incident response plans, citing the absence of a written policy as evidence of unreasonable security practices. The policy should be reviewed and tested (via tabletop exercises) at least annually and updated whenever there are material changes to the organization's systems, data processing activities, or applicable legal requirements.
Does every security incident require notification?
No. Most state breach notification laws define a notifiable breach as the unauthorized acquisition of unencrypted (or unredacted) personal information, so access to or acquisition of encrypted data generally does not trigger notification unless the encryption key or the credentials needed to decrypt it were also compromised. Many states also provide a risk-of-harm exception: if a documented risk assessment shows the breach is unlikely to result in harm to the affected individuals, notification may not be required. HIPAA's Breach Notification Rule takes the opposite default: an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity demonstrates, through the four-factor assessment in 45 CFR § 164.402, that there is a low probability the PHI was compromised, and it carves out unintentional, good-faith acquisition by a workforce member (for example, an employee who accidentally sees records outside their role) that does not result in further use or disclosure. Because determining whether an incident is a notifiable breach involves both factual and legal analysis, organizations should engage legal counsel as soon as a potential breach is discovered, and should record the basis for any decision not to notify.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.